Abstract

In this paper, we focus on analyzing the period distribution of the inversive pseudorandom number generators (IPRNGs) over the finite field $(\mathbb{Z}_N, +, \times)$, where $N > 3$ is a prime. The sequences generated by the IPRNGs are transformed to 2-dimensional linear feedback shift register (LFSR) sequences. By employing the generating function method and finite field theory, the period distribution is obtained analytically. The analysis process also indicates how to choose the parameters and the initial values such that the IPRNGs fit specific periods. The analysis results show that there are many small periods if $N$ is not chosen properly. The experimental examples show the effectiveness of the theoretical analysis.

Keywords: Inversive pseudorandom number generators (IPRNG); Linear feedback shift register (LFSR); Period distribution; Finite field.

I. Introduction

Pseudorandom number generators (PRNGs) are deterministic algorithms that produce a long sequence of numbers that appear random and are indistinguishable from a stream of random numbers [1]; they are widely employed in science and engineering, such as Monte Carlo simulations, computer games and cryptography. In recent years, a variety of PRNGs based on the nonlinear congruential method [2], [3], chaotic maps [4]-[6] and linear feedback shift registers (LFSRs) [7], [8] have been proposed. These PRNGs are implemented on finite state machines, so the sequences generated by them are ultimately periodic. In cryptographic applications, a long period is often required. If the period is not long enough, the encryption algorithms may be vulnerable to attacks. For example, in [7], Kocarev et al. proposed a public key encryption algorithm based on Chebyshev polynomials over the finite field, but in [9], [10], Chen et al. showed that if the period of the sequence generated by the Chebyshev polynomials is not sufficiently long, the public key encryption algorithm is easy to decrypt. Therefore, it is worth making clear what the possible periods of a PRNG are and how to choose suitable control parameters and initial values such that the PRNG fits a specific period; this knowledge helps in algorithm design and its related applications.

In [9], [10], Chen et al. analyzed the period distribution of the sequence generated by the Chebyshev polynomials over finite fields and integer rings, respectively, by employing the generating function method. In [11], Chen et al. analyzed the period distribution of the generalized discrete Arnold cat map over Galois rings by employing the generating function method and the Hensel lifting method. In [12], Chen et al. summarized their works on the period distribution of the sequences generated by linear maps.

In [13], Chou described all possible period lengths of IPRNG (1) and showed that these period lengths are related to the periods of some polynomials. However, the author did not give the full information on the period distribution, which limits the applications of IPRNGs. In [14], Sole et al. proposed an open problem of arithmetic interest: to study the period of the IPRNGs and to give conditions on $a, b$ that achieve the maximal period. Although the state space they considered is a Galois ring, it is also significant to study this problem in a finite field. Recent results on the distribution property in parts of the period of this generator over finite fields can be found in [15], [16], and it would be interesting to generalize these results to arbitrary parts of the period. If the full information on the period distribution is known, such work becomes possible.

Motivated by the above discussions, we focus on analyzing the period distribution of the IPRNGs over the finite field $(\mathbb{Z}_N, +, \times)$, where $N > 3$ is a prime. The analysis process is, first, to make exact statistics on the periods of model (1), and then to count the number of IPRNGs for each specific period when $a$, $b$ and $x_0$ traverse all elements in $\mathbb{Z}_N$. The sequences generated by model (1) are transformed to 2-dimensional LFSR sequences, which are the foundation of stream ciphers [17]. Then, the detailed period distribution of IPRNGs is obtained by employing the generating function method and finite field theory. The analysis process also indicates how to choose the parameters and the initial values such that the IPRNGs fit specific periods.

This paper is organized as follows. To make this paper self-contained, Section II presents some preliminaries that help to understand our analysis. Section III gives a detailed analysis of the period distribution of the sequences generated by IPRNGs with $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$. Then Section IV presents the detailed analysis of the period distribution of the sequences generated by IPRNGs with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$. Finally, conclusions and some suggestions for future work are given in Section V.

II. Preliminaries

In this section, we introduce relevant notation and definitions to facilitate the presentation of the main results in the ensuing sections. For background on finite fields, please refer to [18].

A. Recurring relation over the finite field

Let $\mathbb{Z}_N$ be the residue ring of integers modulo $N$. When $N$ is prime, $(\mathbb{Z}_N, +, \times)$ forms a finite field in which addition and multiplication are modular operations.

Definition 1: [18]. A sequence $a_0, a_1, \ldots$ satisfying the relation over $(\mathbb{Z}_N, +, \times)$:

$a_{n+k} = c_1 a_{n+k-1} + c_2 a_{n+k-2} + \cdots + c_k a_n \bmod N,$ (1)

where $c_i \in \mathbb{Z}_N$ for all $i = 1, 2, \ldots, k$, is called a linear recurring sequence in $\mathbb{Z}_N$.

The generation of linear recurring sequences can be implemented on a linear feedback shift register, which is a special kind of electronic switching circuit handling information in the form of elements of $\mathbb{Z}_N$.

Definition 2: [18]. $f(t) = t^k - c_1 t^{k-1} - \cdots - c_k$ is called the characteristic polynomial of recurring relation (1). Also, the sequence $a_0, a_1, \ldots$ is called the sequence generated by $f(t)$ in $\mathbb{Z}_N$.
The characteristic polynomial $f(t)$ plays an important role in analyzing the period of the sequence generated by recurring relation (1). It follows from [10] that if all roots of $f(t)$ have multiplicity 1, then the period $T$ of $a_0, a_1, \ldots$ equals $\mathrm{per}(f)$, where $\mathrm{per}(f)$ is the smallest positive integer such that $f(t) \mid t^{\mathrm{per}(f)} - 1$, and is called the period of $f(t)$. Then, we have the following proposition on $\mathrm{per}(f)$.

Proposition 1: If $f(t)$ can be factorized as $f(t) = (t - \alpha_1)(t - \alpha_2) \cdots (t - \alpha_m)$, where $\alpha_i \ne \alpha_j$ for all $1 \le i, j \le m$ and $i \ne j$, then $\mathrm{per}(f) = \mathrm{lcm}(\mathrm{ord}(\alpha_1), \mathrm{ord}(\alpha_2), \ldots, \mathrm{ord}(\alpha_m))$, where $\mathrm{lcm}(\mathrm{ord}(\alpha_1), \mathrm{ord}(\alpha_2), \ldots, \mathrm{ord}(\alpha_m))$ is the least common multiple of $\mathrm{ord}(\alpha_1), \mathrm{ord}(\alpha_2), \ldots, \mathrm{ord}(\alpha_m)$.

Proof: Let $L = \mathrm{lcm}(\mathrm{ord}(\alpha_1), \mathrm{ord}(\alpha_2), \ldots, \mathrm{ord}(\alpha_m))$. Since $\alpha_i^L - 1 = 0$ for all $i = 1, 2, \ldots, m$, it is valid that

$t - \alpha_i \mid t^L - 1$

for all $i = 1, 2, \ldots, m$. Since $\alpha_i \ne \alpha_j$ for all $1 \le i, j \le m$ and $i \ne j$, it is valid that $t - \alpha_i$ and $t - \alpha_j$ are coprime for all $i \ne j$. Thus, $(t - \alpha_1)(t - \alpha_2) \cdots (t - \alpha_m) \mid t^L - 1$, which means that $f(t) \mid t^L - 1$. Conversely, $f(t) \mid t^M - 1$ forces $\alpha_i^M = 1$ for every $i$, so $\mathrm{ord}(\alpha_i) \mid M$ for every $i$ and hence $L \mid M$. By the property of the order, we have $\mathrm{per}(f) = L$. The proof is completed. ■

In [9], [10], Proposition 1 is employed to analyze the period distributions of two linear maps, the Chebyshev map and the generalized discrete cat map, whose characteristic polynomials can be expressed as $f(t) = t^2 + at + 1 \in \mathbb{Z}_N[t]$, where $N$ is an integer. If $\alpha$ and $\beta$ are roots of $f(t)$, then it must hold that $\alpha\beta = 1$. Thus, $\mathrm{ord}(\alpha) = \mathrm{ord}(\beta)$. By Proposition 1, we have $\mathrm{per}(f) = \mathrm{ord}(\alpha)$, so $T = \mathrm{ord}(\alpha)$. However, if the characteristic polynomial is $f(t) = t^2 + at + b \in \mathbb{Z}_N[t]$, whose roots are $\alpha$ and $\beta$, where $b \ne 1$, we cannot conclude that $\mathrm{ord}(\alpha) = \mathrm{ord}(\beta)$. In order to analyze the period $T$, we should analyze $\mathrm{ord}(\alpha)$ and $\mathrm{ord}(\beta)$ separately. If $N$ is not chosen properly, i.e., both $N - 1$ and $N + 1$ have many divisors, the analysis process is rather complicated. This obstacle prompts us to adopt another approach, which will be presented in Section IV.

B. IPRNGs over the finite field

In this paper, we consider the following IPRNG proposed in [2] over $(\mathbb{Z}_N, +, \times)$:

(2)

for all $n \ge 1$, where $N > 3$ is a prime and $a, b \in \mathbb{Z}_N$. The initial value associated with model (2) is given by $x_0 \in \mathbb{Z}_N$.

Hereafter, we denote by $S(x_0; a, b)$ the sequence generated by model (2) starting from $x_0$ for given $a, b$. Then, we have the following definition of the period of $S(x_0; a, b)$.

Definition 3: For every initial value $x_0 \in \mathbb{Z}_N$, the smallest positive integer $L(x_0; a, b)$ such that $x_{n + L(x_0; a, b)} = x_n$ for all $n \ge n_0 \ge 0$ is called the period of the IPRNG corresponding to $a$, $b$ and $x_0$, where $n_0$ is a nonnegative integer.

Remark 1: It is noteworthy that the sequence generated by the IPRNGs may not be purely periodic (i.e., periodic starting from $x_0$), which is different from the case of the Chebyshev map and the generalized discrete Arnold cat map. Its period depends not only on the control parameters $a$, $b$ but also on the initial value $x_0$; this will be illustrated in Section III and Section IV.

Throughout this paper, $\mathbb{Z}_N$ denotes the residue ring of integers modulo $N$ and $\mathbb{Z}_N^*$ denotes the group of all units in $\mathbb{Z}_N$. $(\mathbb{Z}_N, +, \times)$ denotes the finite field where addition and multiplication are modular operations. For $a \in \mathbb{Z}_N^*$, denote by $\mathrm{ord}(a)$ the order of $a$ in $\mathbb{Z}_N^*$. $\mathrm{GF}(N^2)$ denotes a finite field with $N^2$ elements. $\varphi(n)$, i.e., Euler's totient function, denotes the number of positive integers which are less than or equal to the positive integer $n$ and coprime with $n$.
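As an added illustration of Proposition 1 in Section II.A (this code is not part of the paper), the following Python computes $\mathrm{per}(f)$ directly, by raising $t$ to successive powers modulo $f(t)$ in $\mathbb{Z}_{31}[t]$, and compares it with the least common multiple of the orders of the roots and with the period of the linear recurring sequence (1) that $f$ generates. The modulus $N = 31$ and the root pairs $\{2, 3\}$ and $\{2, 4\}$ are sample values chosen here, not taken from the paper.

```python
from math import lcm

N = 31  # prime modulus; the same N as in the paper's experiments


def ord_mod(alpha, n=N):
    """Multiplicative order of a unit alpha in Z_n^*: smallest e >= 1 with alpha^e = 1."""
    alpha %= n
    if alpha == 0:
        raise ValueError("0 is not a unit")
    e, x = 1, alpha
    while x != 1:
        x = x * alpha % n
        e += 1
    return e


def poly_from_roots(roots, n=N):
    """Coefficients of prod_i (t - alpha_i) over Z_n, lowest degree first (monic)."""
    poly = [1]
    for r in roots:
        new = [0] * (len(poly) + 1)
        for i, c in enumerate(poly):          # multiply the current product by (t - r)
            new[i + 1] = (new[i + 1] + c) % n
            new[i] = (new[i] - c * r) % n
        poly = new
    return poly


def poly_mulmod(p, q, f, n=N):
    """(p * q) mod f over Z_n for monic f; coefficient lists are lowest degree first."""
    k = len(f) - 1
    prod = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            prod[i + j] = (prod[i + j] + a * b) % n
    # reduce degrees >= k using t^k = -(f_0 + f_1 t + ... + f_{k-1} t^{k-1})
    for d in range(len(prod) - 1, k - 1, -1):
        c = prod[d]
        if c:
            prod[d] = 0
            for i in range(k):
                prod[d - k + i] = (prod[d - k + i] - c * f[i]) % n
    return (prod + [0] * k)[:k]


def poly_period(f, n=N):
    """per(f): the smallest e >= 1 with f(t) | t^e - 1, found by powering t modulo f(t)."""
    k = len(f) - 1
    one = [1] + [0] * (k - 1)
    t = poly_mulmod([0, 1], one, f, n)
    x, e = t, 1
    while x != one:
        x = poly_mulmod(x, t, f, n)
        e += 1
        if e > n ** k:               # guards against f(0) = 0, where t is not invertible
            raise ValueError("t is not invertible modulo f")
    return e


def lfsr_period(f, init, n=N):
    """Period of the linear recurring sequence (1) with characteristic polynomial f,
    i.e. a_{n+k} = c_1 a_{n+k-1} + ... + c_k a_n with c_i = -f[k-i], started from init."""
    k = len(f) - 1
    state, seen, step = tuple(x % n for x in init), {}, 0
    while state not in seen:
        seen[state] = step
        nxt = sum(-f[i] * state[i] for i in range(k)) % n
        state = state[1:] + (nxt,)
        step += 1
    return step - seen[state]


if __name__ == "__main__":
    # roots 2 and 3 in Z_31 have orders 5 and 30; Proposition 1 predicts per(f) = lcm(5, 30) = 30
    f = poly_from_roots([2, 3])
    print(f, poly_period(f), lcm(ord_mod(2), ord_mod(3)), lfsr_period(f, (1, 0)))
```

For the pair $\{2, 4\}$ both roots have order 5, so $\mathrm{per}(f)$ drops to 5 even though the polynomial still has degree 2; this is the situation the paper warns about when $\mathrm{ord}(\alpha) \ne \mathrm{ord}(\beta)$ cannot be ruled out.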

III. Period distribution of IPRNGs with $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$

When $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$, there are $2N^2 - N$ IPRNGs. It helps to first get an impression of what the period distribution with $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$ looks like. Fig. 1 is a plot of the period distribution of IPRNGs (2) with $ab = 0$ in $\mathbb{Z}_{31}$ and $x_0 \in \mathbb{Z}_{31}$. It can be seen from Fig. 1 that the periods are distributed very sparsely: some exist and some do not.

[Fig. 1: bar plot titled "Period Distribution of IPRNGs with ab = 0 in Z_31 and x_0 ∈ Z_31"; horizontal axis "Periods" (5 to 35), vertical axis "Number of IPRNGs" (0 to 1000).]

Fig. 1. Period distribution of IPRNGs with $ab = 0$ in $\mathbb{Z}_{31}$ and $x_0 \in \mathbb{Z}_{31}$.

In [13], Chou considered the periods of IPRNGs for $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$. The results are listed as follows.

Proposition 2: Suppose $a = 0$. Then $x_n = b$ for all $n \ge 1$ and $L(x_0; 0, b) = 1$.

Proposition 3: Suppose $a \ne 0$ and $b = 0$.

(P1) If $x_0 = 0$, then $x_n = 0$ for all $n \ge 1$ and $L(0; a, b) = 1$.

(P2) If $a = x_0^2$ and $x_0 \ne 0$, then $x_n = x_0$ for all $n \ge 1$ and $L(x_0; x_0^2, b) = 1$.

(P3) If $a \ne x_0^2$ and $x_0 \ne 0$, then $x_{n+2} = x_n$ for all $n \ge 1$ and $L(x_0; a, b) = 2$.

Now, all the possible periods for this case are revealed. In the following, we will count the number of IPRNGs for each specific period and present the period distribution.

Theorem 1: For IPRNG (2) with $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$, the possible periods and the number of IPRNGs of each period are given in Table I.

Proof: For $L(x_0; a, b) = 1$, there are three cases:

(i) $a = 0$. Here, the choice of $a$ is unique and there are $N$ choices of $b$ and $N$ choices of $x_0$. Thus, there are $N^2$ IPRNGs.

(ii) $a \ne 0$, $b = 0$ and $x_0 = 0$. Here, there are $N - 1$ choices of $a$ and the choices of $b$ and $x_0$ are unique. Thus, there are $N - 1$ IPRNGs.

(iii) $a \ne 0$, $b = 0$ and $a = x_0^2$. Here, there is a unique choice of $b$. Since $a \ne 0$ and $a = x_0^2$, it is valid that $x_0 \ne 0$. Thus, there are $N - 1$ choices of $x_0$. Once $x_0$ is chosen, $a$ is uniquely determined. Thus, there are $N - 1$ IPRNGs.

Combining (i), (ii) and (iii), there are $N^2 + 2N - 2$ IPRNGs with $L(x_0; a, b) = 1$.

For $L(x_0; a, b) = 2$, since $x_0 \ne 0$, there are $N - 1$ choices of $x_0$. Once $x_0$ is chosen, combining $a \ne 0$ and $a \ne x_0^2$, there are $N - 2$ choices of $a$ and a unique choice of $b$. Thus, there are $(N - 2)(N - 1)$ IPRNGs. The proof is completed. ■

TABLE I
Period distribution of IPRNGs with $ab = 0$ in $\mathbb{Z}_N$ and $x_0 \in \mathbb{Z}_N$.

Periods    Number of IPRNGs
1          $N^2 + 2N - 2$
2          $(N - 2)(N - 1)$

TABLE II
Period distribution of IPRNGs with $ab = 0$ in $\mathbb{Z}_{31}$ and $x_0 \in \mathbb{Z}_{31}$.

Periods    Number of IPRNGs
1          1021
2          870

Example 1: The following example is given to compare the experimental and the theoretical results. A computer program has been written to exhaust all possible IPRNGs with $ab = 0$ in $\mathbb{Z}_{31}$ and $x_0 \in \mathbb{Z}_{31}$ and to find the period by brute force; the results are shown in Fig. 1.

Table II lists the complete result we have obtained. It provides the period distribution of the IPRNGs. As shown in Fig. 1 and Table II, the theoretical and experimental results fit well. The maximal period is 2 while the minimal period is 1. The analysis process also indicates how to choose the parameters and the initial values such that the IPRNGs fit specific periods.

IV. Period distribution of IPRNGs with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$

In [13], Chou described all possible periods of model (2) with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$ and showed that these periods are related to the periods of several polynomials; see Theorem 2 and Theorem 4 in [13]. However, the author did not provide a feasible way to evaluate these periods. In the following, we will characterize the full information on the period distribution of the sequences generated by IPRNG (2) as $a$, $b$ traverse all elements in $\mathbb{Z}_N^*$ and $x_0$ traverses all elements in $\mathbb{Z}_N$.

When $a$, $b$ traverse all elements in $\mathbb{Z}_N^*$ and $x_0$ traverses all elements in $\mathbb{Z}_N$, there are $(N - 1)^2 N$ IPRNGs. It helps to first get an impression of what the period distribution with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$ looks like. Fig. 2 is a plot of the period distribution of IPRNGs (2) with $a \in \mathbb{Z}_{31}^*$, $b \in \mathbb{Z}_{31}^*$ and $x_0 \in \mathbb{Z}_{31}$. It can be seen from Fig. 2 that the periods are distributed very sparsely: some exist and some do not. In the following, the period distribution rules for $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$ will be worked out analytically.



[Fig. 2: bar plot titled "Period Distribution of IPRNGs with a ∈ Z_31^*, b ∈ Z_31^* and x_0 ∈ Z_31"; horizontal axis "Periods", vertical axis "Number of IPRNGs".]

Fig. 2. Period distribution of IPRNGs with $a \in \mathbb{Z}_{31}^*$, $b \in \mathbb{Z}_{31}^*$ and $x_0 \in \mathbb{Z}_{31}$.
In order to obtain the main results in the rest of this paper, we recall an important lemma from [13] which transforms the sequence generated by IPRNGs to 2-dimensional LFSR sequences.

Lemma 1: [13]. Let $a$, $b$ and $x_0$ be in $\mathbb{Z}_N$. Define the LFSR

$y_{n+2} = b y_{n+1} + a y_n,$ (3)

for all $n \ge 0$, where $y_0 = 1$, $y_1 = x_0$. Then if $m > 0$ is an integer such that $y_n \in \mathbb{Z}_N^*$ for all $0 \le n < m$, then $x_n = y_{n+1} y_n^{-1}$ for all $0 \le n < m$. Moreover, $m$ is the smallest positive integer satisfying $x_m = 0$ if and only if $m + 1$ is the smallest integer satisfying $y_{m+1} = 0$.

Let $f(t) = t^2 - bt - a$ be the characteristic polynomial of LFSR (3). If $f(t)$ has a root with multiplicity 2, i.e., $f(t) = (t - \alpha)^2$, then $a = -\alpha^2$ and $b = 2\alpha$. It follows from (3) that

$y_{n+2} = 2\alpha y_{n+1} - \alpha^2 y_n.$ (4)

By simple calculation, we can get the general term of (4):

$y_n = \alpha^n \left( n(\alpha^{-1} x_0 - 1) + 1 \right).$ (5)

If $f(t)$ has two distinct roots with multiplicity 1, i.e., $f(t) = (t - \alpha)(t - \beta)$ and $\alpha \ne \beta$, then $a = -\alpha\beta$ and $b = \alpha + \beta$. It follows from (3) that

$y_{n+2} = (\alpha + \beta) y_{n+1} - \alpha\beta y_n.$ (6)

By simple calculation, we can get the general term of (6):

$y_n = (\alpha - \beta)^{-1} \left( (x_0 - \beta)\alpha^n + (\alpha - x_0)\beta^n \right).$ (7)

It can be observed from (5) and (7) that the general terms of (3) are different when $f(t)$ has a root with multiplicity 2 and when it has two distinct roots with multiplicity 1. Thus, we will discuss these two cases separately.
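The following Python, added here as a worked example rather than taken from the paper, iterates the generator and LFSR (3) side by side and checks Lemma 1 together with the closed forms (5) and (7). It assumes that model (2), whose display did not survive extraction, is the inversive recurrence $x_{n+1} = a x_n^{-1} + b$ with the convention $0^{-1} = 0$, which is the form consistent with Lemma 1 ($x_n = y_{n+1} y_n^{-1}$) and with Propositions 2 and 3; the sample parameters ($N = 31$, a double root $\alpha = 5$, and distinct roots $\alpha = 2$, $\beta = 3$) are chosen for illustration.

```python
N = 31  # prime modulus used in the paper's experiments


def inv(x, n=N):
    """Inverse in Z_n with the inversive-generator convention 0^{-1} = 0
    (assumption: this is what makes x_{n+1} = b when x_n = 0, cf. Proposition 3 (P1))."""
    x %= n
    return 0 if x == 0 else pow(x, -1, n)


def iprng(x0, a, b, length, n=N):
    """First `length` terms of the IPRNG, assumed to be x_{n+1} = a x_n^{-1} + b over Z_n
    (the form consistent with Lemma 1: x_n = y_{n+1} / y_n)."""
    xs = [x0 % n]
    while len(xs) < length:
        xs.append((a * inv(xs[-1], n) + b) % n)
    return xs


def lfsr_y(x0, a, b, length, n=N):
    """First `length` terms of LFSR (3): y_{n+2} = b y_{n+1} + a y_n, y_0 = 1, y_1 = x_0."""
    ys = [1, x0 % n]
    while len(ys) < length:
        ys.append((b * ys[-1] + a * ys[-2]) % n)
    return ys[:length]


def check_lemma1(x0, a, b, n=N):
    """Test Lemma 1 on one generator: returns (m, ok) where m is the index of the first
    zero of y (None if y has no zero among its first n+2 terms) and ok records that
    x_i == y_{i+1} * y_i^{-1} for every i < m and that x_{m-1} is the first zero of x."""
    ys = lfsr_y(x0, a, b, n + 2, n)
    xs = iprng(x0, a, b, n + 2, n)
    m = next((i for i, y in enumerate(ys) if y == 0), None)
    upto = len(ys) - 1 if m is None else m
    ok = all(xs[i] == ys[i + 1] * inv(ys[i], n) % n for i in range(upto))
    if m is not None:
        ok = ok and xs[m - 1] == 0 and all(x != 0 for x in xs[:m - 1])
    return m, ok


def closed_form_double(x0, alpha, length, n=N):
    """(5): y_n = alpha^n (n (alpha^{-1} x_0 - 1) + 1) when f(t) = (t - alpha)^2,
    i.e. a = -alpha^2 and b = 2 alpha."""
    ai = inv(alpha, n)
    return [pow(alpha, k, n) * (k * (ai * x0 - 1) + 1) % n for k in range(length)]


def closed_form_distinct(x0, alpha, beta, length, n=N):
    """(7): y_n = (alpha - beta)^{-1} ((x_0 - beta) alpha^n + (alpha - x_0) beta^n)
    when f(t) = (t - alpha)(t - beta), i.e. a = -alpha beta and b = alpha + beta."""
    d = inv(alpha - beta, n)
    return [d * ((x0 - beta) * pow(alpha, k, n) + (alpha - x0) * pow(beta, k, n)) % n
            for k in range(length)]


if __name__ == "__main__":
    # double root alpha = 5: a = -25 = 6, b = 10; x0 = b = 10 gives y_30 = 0 and x_29 = 0 (Prop. 4)
    print(check_lemma1(10, 6, 10), lfsr_y(10, 6, 10, 8) == closed_form_double(10, 5, 8))
    # distinct roots 2, 3: a = -6 = 25, b = 5; alpha/beta has order 30, so x0 = b gives x_28 = 0
    print(check_lemma1(5, 25, 5), lfsr_y(5, 25, 5, 8) == closed_form_distinct(5, 2, 3, 8))
```

With $x_0 = \alpha = 5$ in the double-root case, $y_n = \alpha^n$ never vanishes and the generator sits at the fixed point $x_n = 5$, which is the situation of Proposition 5.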

A. $f(t)$ has a root with multiplicity 2

We suppose that $\alpha$ is a root of $f(t)$, i.e., $f(t) = (t - \alpha)^2$. In this case, it must hold that $\alpha \in \mathbb{Z}_N$. In fact, if $\alpha \notin \mathbb{Z}_N$, which means that $f(t)$ is irreducible in $\mathbb{Z}_N[t]$, then $f(t)$ must have two roots in $\mathrm{GF}(N^2)$, and all roots of $f(t)$ are $\alpha$ and $\alpha^N$, where $\alpha$ and $\alpha^N$ are in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$. Since $f(t)$ has a root with multiplicity 2, it must hold that $\alpha^N = \alpha$. Thus, $\alpha^{N-1} = 1$, which means that $\mathrm{ord}(\alpha) \mid N - 1$. Therefore, $\alpha \in \mathbb{Z}_N$, which is a contradiction.

It follows from (5) that if $x_0 \ne \alpha$, then $y_n$ must contain 0, which means that $S(x_0; a, b)$ must contain 0; otherwise, $y_n$ does not contain 0, which means that $S(x_0; a, b)$ does not contain 0.

Proposition 4: Suppose $f(t)$ has a root with multiplicity 2 in $\mathbb{Z}_N$. If $x_0 \ne \alpha$, then $L(x_0; a, b) = N - 1$ and there are $(N - 1)^2$ IPRNGs of period $N - 1$.

Proof: Period analysis.

Since $x_0 \ne \alpha$, it is valid that $y_n$ must contain 0. Thus, $L(x_0; a, b) = L(b; a, b)$ (once the sequence reaches 0, its next term is $b$, so the eventual cycle is that of $S(b; a, b)$). When $x_0 = 2\alpha$, it follows from (5) that $y_n = (n + 1)\alpha^n$. Thus, $n = N - 1$ is the smallest integer such that $y_n = 0$. By Lemma 1, $N - 2$ is the smallest integer such that $x_{N-2} = 0$. Thus, $x_{N-1} = b$, which means that $L(b; a, b) = N - 1$.

Counting.

When $\alpha$ traverses all elements in $\mathbb{Z}_N^*$, there are $N - 1$ choices of $\alpha$. Since $f(t) = (t - \alpha)^2$, it is valid that $a$ and $b$ are uniquely determined by a chosen $\alpha$. Also, it follows from $x_0 \ne \alpha$ that there are $N - 1$ choices of $x_0$. Thus, there are $(N - 1)^2$ IPRNGs of period $N - 1$. The proof is completed. ■

Proposition 5: Suppose $f(t)$ has a root with multiplicity 2 in $\mathbb{Z}_N[t]$. If $x_0 = \alpha$, then $L(x_0; a, b) = 1$ and there are $N - 1$ IPRNGs of period 1.

Proof: Period analysis.

Since $x_0 = \alpha$, it is valid that $y_n$ does not contain 0. It follows from (5) that $y_n = \alpha^n$. By Lemma 1, we get that $x_n = \alpha$ for all $n = 1, 2, \ldots$. Thus, $L(x_0; a, b) = 1$.

Counting.

When $\alpha$ traverses all elements in $\mathbb{Z}_N^*$, there are $N - 1$ choices of $\alpha$. Since $f(t) = (t - \alpha)^2$, it is valid that $a$ and $b$ are uniquely determined by a chosen $\alpha$. Also, it follows from $x_0 = \alpha$ that there is a unique choice of $x_0$. Thus, there are $N - 1$ IPRNGs of period 1. The proof is completed. ■
B. $f(t)$ has two distinct roots with multiplicity 1

It follows from (7) that $y_n = 0$ if and only if

$(x_0 - \alpha)(x_0 - \beta)^{-1} = (\alpha\beta^{-1})^n.$ (8)

For presentation convenience, we denote the set $\Omega = \{\alpha\beta^{-1}, (\alpha\beta^{-1})^2, \ldots, (\alpha\beta^{-1})^{\mathrm{ord}(\alpha\beta^{-1}) - 1}\}$.

If $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$, there exists $1 \le n \le \mathrm{ord}(\alpha\beta^{-1}) - 1$ such that (8) holds; thus, $S(x_0; a, b)$ must contain 0. If $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, there does not exist any $n$ such that (8) holds; thus, $S(x_0; a, b)$ does not contain 0.

On the other hand, if either $x_0 - \alpha = 0$ or $x_0 - \beta = 0$, then $y_n \ne 0$ for all $n = 1, 2, \ldots$, which means that $S(x_0; a, b)$ does not contain 0.

In the following, we will provide three lemmas which are necessary for our analysis.

Lemma 2: Suppose $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$. If $\alpha, \beta$ are two distinct roots of $f(t)$, then $\mathrm{ord}(\alpha\beta^{-1}) > 2$.

Proof: Since $b \in \mathbb{Z}_N^*$ and $b = \alpha + \beta$, it holds that $\alpha + \beta \ne 0$. Combining $\alpha - \beta \ne 0$, we have $\alpha\beta^{-1} - \alpha^{-1}\beta \ne 0$, which means that $\alpha\beta^{-1} \ne \alpha^{-1}\beta$. If $\mathrm{ord}(\alpha\beta^{-1}) = 1$, then it must hold that $\alpha\beta^{-1} = 1$ and $\alpha^{-1}\beta = 1$, which contradicts $\alpha\beta^{-1} \ne \alpha^{-1}\beta$. If $\mathrm{ord}(\alpha\beta^{-1}) = 2$, then, since $\varphi(2) = 1$, there is only one element of order 2, and $\alpha^{-1}\beta = (\alpha\beta^{-1})^{-1}$ also has order 2. Thus, $\alpha\beta^{-1} = \alpha^{-1}\beta$, which is a contradiction. The proof is completed. ■

Lemma 3: Suppose $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$. If $\alpha, \beta$ are two distinct roots of $f(t)$, then $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are the two roots of $g(t) = t^2 + (a^{-1}b^2 + 2)t + 1$.

Proof: Since $\alpha, \beta$ are two distinct roots of $f(t)$, it is valid that $a = -\alpha\beta$ and $b = \alpha + \beta$. Then, it is easy to verify that $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$. The proof is completed. ■

Lemma 4: Suppose $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$. If $\alpha, \beta$ are two distinct roots of $f(t)$, then $a^{-1}b^2$ is uniquely determined by $\alpha\beta^{-1}$.

Proof: Since $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$, it holds that $a^{-1}b^2 + 2 = -(\alpha\beta^{-1} + \alpha^{-1}\beta)$. If $a^{-1}b^2$ is not uniquely determined by $\alpha\beta^{-1}$ or $\alpha^{-1}\beta$, then there exist $\alpha_1\beta_1^{-1}$ and $\alpha_2\beta_2^{-1}$ with $\alpha_1\beta_1^{-1} \ne \alpha_2\beta_2^{-1}$ and $\alpha_1\beta_1^{-1} \ne (\alpha_2\beta_2^{-1})^{-1}$, such that $\alpha_1\beta_1^{-1} + \alpha_1^{-1}\beta_1 = \alpha_2\beta_2^{-1} + \alpha_2^{-1}\beta_2$. Let $\gamma_1 = \alpha_1\beta_1^{-1}$ and $\gamma_2 = \alpha_2\beta_2^{-1}$; then we have $\gamma_1 \ne \gamma_2$ and $\gamma_1 \ne \gamma_2^{-1}$. However, by simple calculation, $\gamma_1 + \gamma_1^{-1} = \gamma_2 + \gamma_2^{-1}$ if and only if $(\gamma_1\gamma_2 - 1)(\gamma_1 - \gamma_2) = 0$, which means that either $\gamma_1\gamma_2 = 1$ or $\gamma_1 = \gamma_2$. These are contradictions. The proof is completed. ■
When $f(t)$ has a root with multiplicity 2, its roots are in $\mathbb{Z}_N$. However, when $f(t)$ has two distinct roots with multiplicity 1, its roots may be in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$. Therefore, it is natural to consider the following two cases separately: 1) $\alpha$ and $\beta$ are in $\mathbb{Z}_N$; 2) $\alpha$ and $\beta$ are in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$.

1) $\alpha$ and $\beta$ are in $\mathbb{Z}_N$:

Proposition 6: Suppose $f(t)$ has two distinct roots with multiplicity 1 in $\mathbb{Z}_N$. If $(x_0 - \alpha)(x_0 - \beta) \ne 0$ and $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$, then $L(x_0; a, b)$ traverses the set $\{k - 1 : k > 2, k \mid N - 1\}$. For each $k$, there are $(k - 1)(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k - 1$.

Proof: Period analysis.

If $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$, then $S(x_0; a, b)$ must contain 0. Thus, $L(x_0; a, b) = L(b; a, b)$. Then, we consider the case $x_0 = b$, which means that $x_0 = \alpha + \beta$. By (7), we have $y_n = 0$ if and only if $(\alpha\beta^{-1})^{n+1} = 1$. Thus, $n = \mathrm{ord}(\alpha\beta^{-1}) - 1$ is the smallest integer such that $y_n = 0$. By Lemma 1, we have $x_{n-1} = 0$, thus $x_n = b$, which means that $L(x_0; a, b) = \mathrm{ord}(\alpha\beta^{-1}) - 1$.

Since $\alpha\beta^{-1} \in \mathbb{Z}_N^*$, it holds that $\mathrm{ord}(\alpha\beta^{-1}) \mid N - 1$ and $\mathrm{ord}(\alpha\beta^{-1}) > 2$. Hence, $L(x_0; a, b)$ traverses the set $\{k - 1 : k > 2, k \mid N - 1\}$.

Counting.

For $L(x_0; a, b) = k - 1$, there are $k - 1$ values of $x_0$ such that $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$. Thus, there are $k - 1$ choices of $x_0$.

Since $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$, it holds that $a^{-1}b^2 + 2 = -(\alpha\beta^{-1} + \alpha^{-1}\beta)$. Thus, $a = -b^2(\alpha\beta^{-1} + \alpha^{-1}\beta + 2)^{-1}$. By Lemma 4, $a^{-1}b^2$ is uniquely determined by $\alpha\beta^{-1}$. Thus, when $\mathrm{ord}(\alpha\beta^{-1}) = k$, there are $\frac{\varphi(k)}{2}$ different values of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$. Thus, there are $\frac{\varphi(k)}{2}$ choices of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$.

As a result of $\mathrm{ord}(\alpha\beta^{-1}) > 2$, $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ is a unit. The number of choices of $b$ is $N - 1$. Once $b$ and $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ are chosen, $a$ is uniquely determined. Hence, for each $k$, there are $(k - 1)(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k - 1$. The proof is completed. ■

Proposition 7: Suppose $f(t)$ has two distinct roots with multiplicity 1 in $\mathbb{Z}_N$. If $(x_0 - \alpha)(x_0 - \beta) \ne 0$ and $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, then $L(x_0; a, b)$ traverses the set $\{k : 2 < k < N - 1, k \mid N - 1\}$. For each $k$, there are $(N - (k + 1))(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k$.

Proof: Period analysis.

If $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, then $S(x_0; a, b)$ does not contain 0. It follows from Lemma 1 and (7) that $x_n = x_0$ if and only if

$(x_0 - \alpha)(x_0 - \beta)\alpha^n = (x_0 - \alpha)(x_0 - \beta)\beta^n.$ (9)

Since $(x_0 - \alpha)(x_0 - \beta) \ne 0$, (9) is equivalent to $(\alpha\beta^{-1})^n = 1$. Thus, $L(x_0; a, b) = \mathrm{ord}(\alpha\beta^{-1})$.

By Lemma 2, we have $\mathrm{ord}(\alpha\beta^{-1}) > 2$. On the other hand, since $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, it must hold that $\alpha\beta^{-1}$ is not a primitive element in $\mathbb{Z}_N$, which means that $\mathrm{ord}(\alpha\beta^{-1}) \ne N - 1$. Hence, $L(x_0; a, b)$ traverses the set $\{k : 2 < k < N - 1, k \mid N - 1\}$.

Counting.

For $L(x_0; a, b) = k$, there are $N - (k + 1)$ values of $x_0$ such that $(x_0 - \alpha)(x_0 - \beta) \ne 0$ and $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$ (the $N - 2$ values $x_0 \ne \alpha, \beta$ minus the $k - 1$ values whose ratio lies in $\Omega$). Thus, there are $N - (k + 1)$ choices of $x_0$.

Since $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$, it holds that $a^{-1}b^2 + 2 = -(\alpha\beta^{-1} + \alpha^{-1}\beta)$. Thus, $a = -b^2(\alpha\beta^{-1} + \alpha^{-1}\beta + 2)^{-1}$. By Lemma 4, $a^{-1}b^2$ is uniquely determined by $\alpha\beta^{-1}$. Thus, when $\mathrm{ord}(\alpha\beta^{-1}) = k$, there are $\frac{\varphi(k)}{2}$ different values of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$. Thus, there are $\frac{\varphi(k)}{2}$ choices of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$.

As a result of $\mathrm{ord}(\alpha\beta^{-1}) > 2$, $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ is a unit. The number of choices of $b$ is $N - 1$. Once $b$ and $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ are chosen, $a$ is uniquely determined. Hence, for each $k$, there are $(N - (k + 1))(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k$. The proof is completed. ■

Proposition 8: Suppose $f(t)$ has two distinct roots with multiplicity 1 in $\mathbb{Z}_N$. If $(x_0 - \alpha)(x_0 - \beta) = 0$, then $L(x_0; a, b) = 1$ and there are $(N - 3)(N - 1)$ IPRNGs of period 1.

Proof: Period analysis.

If $(x_0 - \alpha)(x_0 - \beta) = 0$, then $y_n = x_0^n$. Thus, $x_n = x_0$ for all $n = 1, 2, \ldots$, which means that $L(x_0; a, b) = 1$.

Counting.

For $L(x_0; a, b) = 1$, as $\alpha, \beta$ traverse all suitable elements in $\mathbb{Z}_N^*$, i.e., both $\alpha - \beta$ and $\alpha + \beta$ are units, there are $\frac{(N - 3)(N - 1)}{2}$ pairs $\{\alpha, \beta\}$. Once $\alpha, \beta$ are chosen, there are 2 choices of $x_0$. Thus, there are $(N - 3)(N - 1)$ IPRNGs of period 1. The proof is completed. ■

2) $\alpha$ and $\beta$ are in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$: In this case, it must hold that $(x_0 - \alpha)(x_0 - \beta) \ne 0$. Then, we have the following results on the period distribution of IPRNGs for this case.

Proposition 9: Suppose $f(t)$ has two distinct roots with multiplicity 1 in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$. If $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$, then $L(x_0; a, b)$ traverses the set $\{k - 1 : k > 2, k \mid N + 1\}$. For each $k$, there are $(k - 1)(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k - 1$.

Proof: Period analysis.

If $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$, then $S(x_0; a, b)$ must contain 0. Thus, $L(x_0; a, b) = L(b; a, b)$. Then, we consider the case $x_0 = b$, which means that $x_0 = \alpha + \beta$. By (7), we have $y_n = 0$ if and only if $(\alpha\beta^{-1})^{n+1} = 1$. Thus, $n = \mathrm{ord}(\alpha\beta^{-1}) - 1$ is the smallest integer such that $y_n = 0$. By Lemma 1, we have $x_{n-1} = 0$, thus $x_n = b$, which means that $L(x_0; a, b) = \mathrm{ord}(\alpha\beta^{-1}) - 1$.

By Lemma 2, we have $\mathrm{ord}(\alpha\beta^{-1}) > 2$. Since $\alpha\beta^{-1} \in \mathrm{GF}(N^2)$, it holds that $\mathrm{ord}(\alpha\beta^{-1}) \mid N^2 - 1$. Notice that $\alpha$ and $\beta$ are not in $\mathbb{Z}_N$ and $\alpha \ne \beta$, so it is valid that $\alpha\beta^{-1} \notin \mathbb{Z}_N$. Since $\mathbb{Z}_N \subset \mathrm{GF}(N^2)$, the elements of $\mathrm{GF}(N^2)$ whose order divides $N - 1$ are exactly the units of $\mathbb{Z}_N$, which means that $\mathrm{ord}(\alpha\beta^{-1}) \nmid N - 1$. Thus, $\mathrm{ord}(\alpha\beta^{-1}) \mid N + 1$. Hence, $L(x_0; a, b)$ traverses the set $\{k - 1 : k > 2, k \mid N + 1\}$.

Counting.

For $L(x_0; a, b) = k - 1$, there are $k - 1$ values of $x_0$ such that $(x_0 - \alpha)(x_0 - \beta)^{-1} \in \Omega$. Thus, there are $k - 1$ choices of $x_0$.

Since $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$, it holds that $a^{-1}b^2 + 2 = -(\alpha\beta^{-1} + \alpha^{-1}\beta)$. Thus, $a = -b^2(\alpha\beta^{-1} + \alpha^{-1}\beta + 2)^{-1}$. By Lemma 4, $a^{-1}b^2$ is uniquely determined by $\alpha\beta^{-1}$. Thus, when $\mathrm{ord}(\alpha\beta^{-1}) = k$, there are $\frac{\varphi(k)}{2}$ different values of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$. Hence, there are $\frac{\varphi(k)}{2}$ choices of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$.

As a result of $\mathrm{ord}(\alpha\beta^{-1}) > 2$, $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ is a unit. The number of choices of $b$ is $N - 1$. Once $b$ and $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ are chosen, $a$ is uniquely determined. Hence, for each $k$, there are $(k - 1)(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k - 1$. The proof is completed. ■

Proposition 10: Suppose $f(t)$ has two distinct roots with multiplicity 1 in $\mathrm{GF}(N^2)$ but not in $\mathbb{Z}_N$. If $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, then $L(x_0; a, b)$ traverses the set $\{k : 2 < k < N + 1, k \mid N + 1\}$. For each $k$, there are $(N - (k - 1))(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k$.

Proof: Period analysis.

If $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, then $S(x_0; a, b)$ does not contain 0. It follows from Lemma 1 and (7) that $x_n = x_0$ if and only if

$(x_0 - \alpha)(x_0 - \beta)\alpha^n = (x_0 - \alpha)(x_0 - \beta)\beta^n.$ (10)

Since $(x_0 - \alpha)(x_0 - \beta) \ne 0$, (10) is equivalent to $(\alpha\beta^{-1})^n = 1$. Thus, $L(x_0; a, b) = \mathrm{ord}(\alpha\beta^{-1})$.

By Lemma 2, we have $\mathrm{ord}(\alpha\beta^{-1}) > 2$. Since $\alpha\beta^{-1} \in \mathrm{GF}(N^2)$, it holds that $\mathrm{ord}(\alpha\beta^{-1}) \mid N^2 - 1$. Notice that $\alpha$ and $\beta$ are not in $\mathbb{Z}_N$ and $\alpha \ne \beta$, so it is valid that $\alpha\beta^{-1} \notin \mathbb{Z}_N$. Since $\mathbb{Z}_N \subset \mathrm{GF}(N^2)$, the elements of $\mathrm{GF}(N^2)$ whose order divides $N - 1$ are exactly the units of $\mathbb{Z}_N$, which means that $\mathrm{ord}(\alpha\beta^{-1}) \nmid N - 1$. Thus, $\mathrm{ord}(\alpha\beta^{-1}) \mid N + 1$.

On the other hand, since $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$, it must hold that $\alpha\beta^{-1}$ is not of order $N + 1$ in $\mathrm{GF}(N^2)$, i.e., $\mathrm{ord}(\alpha\beta^{-1}) \ne N + 1$. Hence, $L(x_0; a, b)$ traverses the set $\{k : 2 < k < N + 1, k \mid N + 1\}$.

Counting.

For $L(x_0; a, b) = k$, there are $N - (k - 1)$ values of $x_0$ such that $(x_0 - \alpha)(x_0 - \beta)^{-1} \notin \Omega$ (here every $x_0 \in \mathbb{Z}_N$ differs from $\alpha$ and $\beta$, and $k - 1$ of them have their ratio in $\Omega$). Thus, there are $N - (k - 1)$ choices of $x_0$.

Since $\alpha\beta^{-1}$ and $\alpha^{-1}\beta$ are roots of $g(t)$, it holds that $a^{-1}b^2 + 2 = -(\alpha\beta^{-1} + \alpha^{-1}\beta)$. Thus, $a = -b^2(\alpha\beta^{-1} + \alpha^{-1}\beta + 2)^{-1}$. By Lemma 4, $a^{-1}b^2$ is uniquely determined by $\alpha\beta^{-1}$. Thus, when $\mathrm{ord}(\alpha\beta^{-1}) = k$, there are $\frac{\varphi(k)}{2}$ different values of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$. Thus, there are $\frac{\varphi(k)}{2}$ choices of $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$.

As a result of $\mathrm{ord}(\alpha\beta^{-1}) > 2$, $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ is a unit. The number of choices of $b$ is $N - 1$. Once $b$ and $\alpha\beta^{-1} + \alpha^{-1}\beta + 2$ are chosen, $a$ is uniquely determined. Hence, for each $k$, there are $(N - (k - 1))(N - 1)\frac{\varphi(k)}{2}$ IPRNGs of period $k$. The proof is completed. ■

TABLE III
Period distribution of IPRNGs with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$.

Periods                                    Number of IPRNGs
1                                          $(N - 2)(N - 1)$
$N - 1$                                    $(N - 1)^2$
$\{k - 1 : k > 2, k \mid N - 1\}$          $(k - 1)(N - 1)\frac{\varphi(k)}{2}$
$\{k - 1 : k > 2, k \mid N + 1\}$          $(k - 1)(N - 1)\frac{\varphi(k)}{2}$
$\{k : 2 < k < N - 1, k \mid N - 1\}$      $(N - (k + 1))(N - 1)\frac{\varphi(k)}{2}$
$\{k : 2 < k < N + 1, k \mid N + 1\}$      $(N - (k - 1))(N - 1)\frac{\varphi(k)}{2}$

Now, we summarize the results in the following theorem.

Theorem 2: For IPRNGs with $a \in \mathbb{Z}_N^*$, $b \in \mathbb{Z}_N^*$ and $x_0 \in \mathbb{Z}_N$, the possible periods and the number of IPRNGs of each period are given in Table III.

Remark 2: It should be mentioned that $N > 3$ is an important condition in Theorem 2, because some periods require $k > 2$, $k \mid N - 1$, which implies that $N > 3$.

Example 2: The following example is given to compare the experimental and the theoretical results. A computer program has been written to exhaust all possible IPRNGs with $a \in \mathbb{Z}_{31}^*$, $b \in \mathbb{Z}_{31}^*$ and $x_0 \in \mathbb{Z}_{31}$ and to find the period by brute force; the results are shown in Fig. 2.

Table IV lists the complete result we have obtained. It provides the period distribution of the IPRNGs. As shown in Fig. 2 and Table IV, the theoretical and experimental results fit well. The maximal period is 31 while the minimal period is 1. The analysis process also indicates how to choose the parameters and the initial values such that the IPRNGs fit specific periods.
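To reproduce Examples 1 and 2 and check them against Theorem 1 and Theorem 2, the following Python (added here; it is not the authors' program) brute-forces $L(x_0; a, b)$ for every $(a, b, x_0)$ with $N = 31$ under the same assumed model $x_{n+1} = a x_n^{-1} + b$ with $0^{-1} = 0$ (the form consistent with Lemma 1), evaluates the closed-form counts of Tables I and III, and turns the counting argument of Proposition 6 into a constructive recipe for parameters with a prescribed period $k - 1$. The function `design` and its formula for $a$ are this example's own, derived from Lemma 3 with $\omega = \alpha\beta^{-1}$; the sample value $b = 7$ is arbitrary.

```python
from collections import Counter
from math import gcd

N = 31  # the prime used in Examples 1 and 2


def inv(x, n=N):
    """Inverse in Z_n with the inversive-generator convention 0^{-1} = 0 (assumption)."""
    x %= n
    return 0 if x == 0 else pow(x, -1, n)


def period(x0, a, b, n=N):
    """L(x0; a, b) of Definition 3 for the assumed model (2), x_{n+1} = a x_n^{-1} + b:
    iterate until a state repeats; the distance between the two visits is the period."""
    seen, x, step = {}, x0 % n, 0
    while x not in seen:
        seen[x] = step
        x = (a * inv(x, n) + b) % n
        step += 1
    return step - seen[x]


def distribution(n=N, units_only=True):
    """Brute-force period distribution: units_only=True counts a, b in Z_n^* (Section IV),
    units_only=False counts the complementary case ab = 0 (Section III); x0 ranges over Z_n."""
    counts = Counter()
    for a in range(n):
        for b in range(n):
            if (a != 0 and b != 0) != units_only:
                continue
            for x0 in range(n):
                counts[period(x0, a, b, n)] += 1
    return dict(counts)


def phi(k):
    """Euler's totient function."""
    return sum(1 for i in range(1, k + 1) if gcd(i, k) == 1)


def theorem1(n=N):
    """Table I."""
    return {1: n * n + 2 * n - 2, 2: (n - 2) * (n - 1)}


def theorem2(n=N):
    """Table III, summed over the six families of periods it lists."""
    counts = Counter()
    counts[1] += (n - 2) * (n - 1)
    counts[n - 1] += (n - 1) ** 2
    for k in range(3, n + 2):                      # k > 2
        half_phi = phi(k) // 2                     # phi(k) is even for k > 2
        if (n - 1) % k == 0:                       # roots alpha, beta in Z_n
            counts[k - 1] += (k - 1) * (n - 1) * half_phi
            if k < n - 1:
                counts[k] += (n - (k + 1)) * (n - 1) * half_phi
        if (n + 1) % k == 0:                       # roots in GF(n^2) but not in Z_n
            counts[k - 1] += (k - 1) * (n - 1) * half_phi
            if k < n + 1:
                counts[k] += (n - (k - 1)) * (n - 1) * half_phi
    return dict(counts)


def order(w, n=N):
    """Multiplicative order of the unit w in Z_n^*."""
    e, x = 1, w % n
    while x != 1:
        x, e = x * w % n, e + 1
    return e


def design(k, b, n=N):
    """Parameters (a, b, x0) with period exactly k - 1, for k > 2 and k | n - 1, following
    the construction in the proof of Proposition 6: choose omega of order k, set
    a = -b^2 (omega + omega^{-1} + 2)^{-1} so that alpha/beta = omega, and take x0 = b."""
    omega = next(w for w in range(2, n) if order(w, n) == k)
    a = (-b * b * inv(omega + inv(omega, n) + 2, n)) % n
    return a, b % n, b % n


if __name__ == "__main__":
    print(distribution(31, units_only=False), theorem1(31))     # both {1: 1021, 2: 870}
    print(distribution(31) == theorem2(31))                      # True: Table IV reproduced
    for k in (3, 5, 6, 10, 15, 30):
        a, b, x0 = design(k, 7)
        print(k - 1, period(x0, a, b))                           # the two numbers agree
```

The brute-force run visits all $31^3$ triples in well under a second and returns exactly the sixteen period values of Table IV; `design(30, 7)` shows that a period close to the maximum is reachable only by choosing $\alpha\beta^{-1}$ of large order, which is the parameter-selection guidance the analysis provides.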

V. Conclusion

The period distribution of the IPRNGs over $(\mathbb{Z}_N, +, \times)$ for prime $N > 3$ has been analyzed. The period distribution of IPRNGs is obtained by the generating function method and finite field theory. The analysis process also indicates how to choose the parameters and the initial values such that the IPRNGs fit specific periods. The analysis results show that the period distribution is poor if $N$ is not chosen properly, in which case there are many small periods.
TABLE IV
Period distribution of IPRNGs with $a \in \mathbb{Z}_{31}^*$, $b \in \mathbb{Z}_{31}^*$ and $x_0 \in \mathbb{Z}_{31}$.

Periods    Number of IPRNGs
1          870
2          60
3          900
4          1080
5          1650
6          720
7          420
8          1440
9          540
10         1200
14         1680
15         3600
16         1920
29         3480
30         900
31         7440

A feasible way to resolve the open problem proposed by Sole et al. in [14] is to analyze the period distribution of the sequences generated by IPRNGs over Galois rings. However, the period distribution of IPRNG sequences varies substantially as $N$ changes: when $N$ is a prime, $(\mathbb{Z}_N, +, \times)$ is a finite field; when $N$ is a power of a prime, i.e., $N = p^e$, $(\mathbb{Z}_N, +, \times)$ is a Galois ring. The structure of $(\mathbb{Z}_{p^e}, +, \times)$ is more complicated than that of $(\mathbb{Z}_N, +, \times)$ with $N$ prime, because $(\mathbb{Z}_{p^e}, +, \times)$ contains many zero divisors while $(\mathbb{Z}_N, +, \times)$ does not; this difference makes the analysis in Galois rings more complicated than that in finite fields, which is challenging and deserves intensive study. Another important problem is to characterize the security properties of the IPRNGs. These topics are interesting and need further research.

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China under Grant 60974132, the Natural Science Foundation Project of CQ CSTC2011BA6026 and the Scientific & Technological Research Projects of CQ KJ110424.

References

[1] T. Stojanovski, L. Kocarev, Chaos-based random number generators, part I: analysis, IEEE Trans. Circuits Syst. I, Fundam. Theory Appl. 48(3) (2009) 281-299.
[2] J. Eichenauer, J. Lehn, A non-linear congruential pseudorandom number generator, Stat. Pap. 27(1) (1986) 315-326.
[3] R.S. Katti, R.G. Kavasseri, V. Sai, Pseudorandom bit generation using coupled congruential generators, IEEE Trans. Circuits Syst. II, Exp. Briefs 57(3) (2010) 203-207.
[4] T. Addabbo, M. Alioto, A. Fort, A. Pasini, S. Rocchi, V. Vignoli, A class of maximum-period nonlinear congruential generators derived from the Renyi chaotic map, IEEE Trans. Circuits Syst. I, Reg. Papers 54(4) (2007) 816-828.
[5] G.R. Chen, Y.B. Mao, C.K. Chui, A symmetric image encryption scheme based on 3D chaotic cat maps, Chaos Soliton. Fract. 21(3) (2004) 749-761.
[6] L. Kocarev, G. Jakimoski, Pseudorandom bits generated by chaotic maps, IEEE Trans. Circuits Syst. I, Fundam. Theory Appl. 50(1) (2003) 123-126.
[7] L. Kocarev, J. Makraduli, P. Amato, Public-key encryption based on Chebyshev polynomials, Circ. Syst. Signal Pr. 24(5) (2005) 497-517.
[8] R. Kuehnel, J. Theiler, Y. Wang, Parallel random number generators for sequences uniformly distributed over any range of integers, IEEE Trans. Circuits Syst. I, Reg. Papers 53(7) (2006) 1496-1505.
[9] F. Chen, X.F. Liao, T. Xiang, H.Y. Zheng, Security analysis of the public key algorithm based on Chebyshev polynomials over the integer ring Z_N, Inform. Sciences 181(22) (2011) 5110-5118.
[10] X.F. Liao, F. Chen, K.W. Wong, On the security of public-key algorithms based on Chebyshev polynomials over the finite field Z_N, IEEE Trans. Comput. 59(10) (2010) 1392-1401.
[11] F. Chen, K.W. Wong, X.F. Liao, T. Xiang, Period distribution of generalized discrete Arnold cat map for N = p^e, IEEE Trans. Inform. Theory 58(1) (2012) 445-452.
[12] F. Chen, X.F. Liao, K.W. Wong, Q. Han, Y. Li, Period distribution analysis of some linear maps, Commun. Nonlinear Sci. 17(10) (2012) 3848-3856.
[13] W.S. Chou, The period lengths of inversive pseudorandom vector generations, Finite Fields Th. App. 1(1) (1995) 126-132.
[14] P. Sole, D. Zinoviev, Inversive pseudorandom numbers over Galois rings, Eur. J. Combin. 30(2) (2009) 458-467.
[15] J. Gutierrez, H. Niederreiter, I.E. Shparlinski, On the multidimensional distribution of inversive congruential pseudorandom numbers in parts of the period, Monatsh. Math. 129(1) (2000) 31-36.
[16] H. Niederreiter, I.E. Shparlinski, On the distribution of inversive congruential pseudorandom numbers in parts of the period, Math. Comput. 70(236) (2000) 1569-1574.
[17] R.A. Rueppel, Analysis and Design of Stream Ciphers, New York, NY: Springer-Verlag, 1986.
[18] R. Lidl, H. Niederreiter, Finite Fields, Vol. 20, Encyclopedia of Mathematics and Its Applications, Amsterdam, The Netherlands: Addison-Wesley, 1983.



